The UK’s National Cyber Security Centre (NCSC) has warned organizations about a new take on a known threat from Turla, a hacking group that's been active for several years and thought to be funded by the Kremlin.

Turla is still active and on the UK's radar. The NCSC, a unit of Britain’s spy agency GCHQ, published its first report on Turla's twin espionage tools -- Neuron and Nautilus -- in November.

"The NCSC has observed these tools being used by the Turla group to maintain persistent network access and to conduct network operations," it said at the time.

The two tools are installed on Windows PCs, Exchange email servers and IIS web servers following an initial infection with a rootkit called Snake.

The exposure NCSC gave to the tools in its initial report either disrupted Turla's espionage activity or threatened its work enough to warrant Turla engineers redesigning Neuron to better evade detection.

NCSC published its follow-up Neuron report on Thursday after discovering a new version, dubbed "Neuron2", that was created just five days after Neuron's exposure in November.

Neuron2 was modified to dodge signatures and indicators of compromise outlined in the November report. One of the key changes is that Neuron now delivered an in-memory payload — or fileless malware — rather than the former method of writing the payload to disk, which was easier to detect.

NCSC described Turla as experienced at maintaining covert access through incident response activities.

“They infect multiple systems within target networks and deploy a diverse range of tools to ensure that they retain a foothold back onto a victim even after the initial infection vector has been mitigated,” NCSC observed.

Neuron consists of a service installed on a compromised web server, and a client on an infected PC that extracts information and hands it to the service for exfiltration. The Neuron service is installed by exploiting flaws in server software, while the client is typically installed via spear-phishing email using Word documents containing malicious macros.

Key changes in the modified version are primarily designed to make detection harder and include:

• The .NET payload is loaded in-memory as opposed to being dropped to disk;

The in-memory modification will most likely allow it to evade detection during antivirus disk scans; however, NCSC reckons antivirus that scans memory will still likely be able to detect the payload running.

At the same time, NCSC notes the new version's payload is "encrypted within the loader, which ensures the payload never touches disk in plaintext".

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.